Fix guide · critical · password_form_over_http

Password field on a page served over plain HTTP

What this rule means

Your page contains an <input type="password"> but is served over HTTP rather than HTTPS.

Why it matters

The password is sent over the wire in clear text. Any network observer between the user and your server can read the credentials, and on public WiFi they can be captured wholesale.

How to fix it

  1. Get a TLS certificate. Let's Encrypt is free, and your hosting provider probably automates it.
  2. Force HTTPS with a 301 redirect from http:// to https://.
  3. Add HSTS so browsers refuse to make HTTP requests to your domain after the first visit:

`` Strict-Transport-Security: max-age=63072000; includeSubDomains; preload ``
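
To confirm that steps 2 and 3 took effect, the added example below (not part of the vibecheck guide or its tooling) checks a captured plain-HTTP response and a captured HTTPS response for the 301 redirect and the HSTS header shown above. The host example.com, the sample responses and the function names are constructed for illustration; the one-year floor is the minimum max-age the browser preload list accepts.

```python
from urllib.parse import urlsplit

PRELOAD_MIN_AGE = 31536000  # one year: minimum max-age accepted for the preload list

def parse_hsts(value):
    """Parse a Strict-Transport-Security value into (max_age, directive set)."""
    max_age, flags = None, set()
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        arg = arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():
            max_age = int(arg)
        elif name and name != "max-age":
            flags.add(name)
    return max_age, flags

def check_fix(host, http_resp, https_resp):
    """Return a list of problems; an empty list means steps 2 and 3 are in place.
    Each response is (status, headers) with lower-case header names."""
    problems = []
    status, headers = http_resp
    target = urlsplit(headers.get("location", ""))
    if status != 301:
        problems.append(f"http:// answered {status}, expected 301")
    if target.scheme != "https" or target.hostname != host:
        problems.append("redirect does not point at https:// on the same host")
    # Browsers ignore HSTS received over plain HTTP, so only the HTTPS reply counts.
    hsts = https_resp[1].get("strict-transport-security")
    if hsts is None:
        return problems + ["no HSTS header on the HTTPS response"]
    max_age, flags = parse_hsts(hsts)
    if max_age is None or max_age < PRELOAD_MIN_AGE:
        problems.append("max-age missing or below one year")
    for needed in ("includesubdomains", "preload"):
        if needed not in flags:
            problems.append(f"HSTS lacks {needed}")
    return problems

# Constructed sample responses (not captured from a real site).
GOOD_HTTP = (301, {"location": "https://example.com/login"})
GOOD_HTTPS = (200, {"strict-transport-security":
                    "max-age=63072000; includeSubDomains; preload"})
BAD_HTTP = (302, {"location": "http://example.com/login"})
BAD_HTTPS = (200, {"strict-transport-security": "max-age=300"})

if __name__ == "__main__":
    print(check_fix("example.com", GOOD_HTTP, GOOD_HTTPS))
    for problem in check_fix("example.com", BAD_HTTP, BAD_HTTPS):
        print("FAIL:", problem)
```
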

Did vibecheck flag this on your app?

If you reached this page from a vibecheck inspection report, the redacted match in your scan output is the exact string we found in your bundle. After applying the fix above, run the inspection again — the finding should clear.
